May 2014

May 29, 2014

Neat story last week from ArsTechnica about how the FBI withdrew a national security letter targeting an Office 365 enterprise customer following Microsoft's court challenge to a provision of the letter gagging the company from informing the target.

Microsoft's General Counsel Brad Smith wrote in a blog post, "In this case, the Letter included a nondisclosure provision and we moved forward to challenge it in court. We concluded that the nondisclosure provision was unlawful and violated our Constitutional right to free expression. It did so by hindering our practice of notifying enterprise customers when we receive legal orders related to their data."

Last year, a federal judge ruled that these gag orders violate the First Amendment rights of those receiving them and she declared the letters unconstitutional. The decision has been stayed and is pending appeal.

The name of the targeted Microsoft customer was blacked out in the records. The 2013 national security letter was not included in the documents. Ultimately, the authorities managed to get the information directly from Microsoft's customer.

Still, it is heartening to see companies like Microsoft standing up to the government and endeavoring to protect their customers. Way to go Microsoft.

May 28, 2014

You don't often get to say, "It started in Australia" with respect to technology, but the current wave of attacks on Apple products does indeed seem to have struck Australia first. According to a BGR story, users of Macs, iPhones and iPads woke up yesterday in Australia to find that their devices had been locked using Apple's Find My iPhone, Find My iPad and Find My Mac features.

These features were meant to allow users to remotely locate stolen or lost Apple devices and to lock those devices. Hackers have been able to compromise Apple's iCloud-based remote device locking feature to lock the devices, displaying a message on the devices that demands a ransom be paid via PayPal to have the devices unlocked. Though the locking is real enough, it is, as I write, unclear whether the demand for payment is actually a hoax.

BGR recommends having a PIN enabled on the devices as well as utilizing two-factor authentication to protect iCloud accounts. I'm sure we'll hear more on this story as the facts develop . . .

May 27, 2014

As my British friends would say, "Bollocks." But that is what former NSA Director, General Keith Alexander, has claimed. He has stated, "I think he is now being manipulated by Russian intelligence. I just don't know when that exactly started or how deep it runs."

I know how much this statement aggravated me because it has stayed in my Inbox until I had time to write about it.

Did Snowden want to go to Russia? No. Was he trapped there? Yes.

Does Alexander have a scintilla of evidence to back up his claim? Of course not. The tarring and feathering of Snowden just continues to run amok - and each such incident only deepens the skepticism of most Americans about what the heck their government is doing.

As for Russia manipulating Snowden, given his history, that seems laughable. Why would they bother? Hey, Putin is NOT a nice guy, but the smart play (and he is a smart guy) is to leave Snowden alone to "be Snowden." He'll continue to be a gadfly to the NSA and others. He doesn't need any puppet strings.

I'm sure many RTL readers will be watching Brian Williams' interview with Snowden tomorrow at 10 p.m. Eastern. It will no doubt spark plenty of water cooler conversations the next day. And I heard on the news this morning that shortly (whether in the interview or elsewhere) we will have revelations about some of the people the NSA has been keeping tabs on. Should be interesting, to say the least. Stay tuned.

May 22, 2014

It is a mantra with us to terminate employees quickly, following a written list of procedures to keep them from doing harm. Here's another story to underscore the importance of doing exactly that.

It was recently reported that a former network engineer at EnerVest Operating, LLC, in Charleston, W.V., was sentenced to four years in prison for causing severe damage to his employer's computer system. EnerVest manages oil and gas exploration and production operations for EnerVest Ltd., a major national oil and gas holding company.

Ricky Joe Mitchell, 35, admitted that in June 2012, shortly after he learned he was going to be fired, he remotely accessed EnerVest's computer system and reset the company's network servers to factory settings, essentially eliminating access to all of the company's data and applications for the eastern US operations.

Before his access to EnerVest was terminated, Mitchell went to the office after business hours, disconnected critical pieces of computer-network equipment and disabled the equipment's cooling system. EnerVest was unable to fully communicate or conduct business operations for nearly 30 days.

The company spent hundreds of thousands of dollars trying to recover historical data from its network servers. Some data was lost forever.

In addition to his prison sentence, Mitchell was ordered to pay $428,000 in restitution to the company and pay a $100,000 fine.

If you're going to fire someone, don't let a lot of people know - and do it quickly - making sure all physical and remote access to data is cut before or during the meeting in which the employee is fired.

May 21, 2014

A great resource from the ABA's Legal Technology Resource Center (free to all) is their "Cloud Ethics Opinions Around the U.S." No matter where we are - or even what we're speaking on - we always get asked by lawyers about the ethics of moving to the cloud. It is nice to have all these opinions in a single place.

Bravo LTRC and hat tip to Brett Burney for pointing that site out at the Virginia State Bar TECHSHOW!

May 20, 2014

The FCC proposed allowing an Internet "fast lane" last week, to the dismay of many. As an article in Time pointed out, this would give faster service to content companies willing and able to pay for the privilege. The notion of having "heavy hitters" keeping new competitors out did not sit well with many.

Where, pray tell, is the "neutrality" in having an Internet fast lane?

The 3-2 vote was on party lines and left the proposals up for comment for four months.

The proposals allow paid prioritization, but only, according to the FCC, where it is not anti-competitive and doesn’t harm consumers. They include the development of a “rigorous, multi-factor ‘screen’ to analyze whether any conduct hurts consumers, competition, free expression and civic engagement, and other criteria under a legal standard termed ‘commercial reasonableness’.” My take is that any such move is just the beginning of a race to be a player in the coveted fast lane - with no rigorous screening actually implemented.

The FCC is promising to consider whether broadband should be redefined as a public utility placing it under Title II authority. This would mean much tighter oversight than is currently possible under Section 706 of the Telecommunications Act of 1996.

May 19, 2014

You might as well start off the week with a laugh. John found this solicitation on FedBizOpps. Taken directly from the solicitation: "The Federal Bureau of Investigation has a requirement for malware."

And apparently it wants LOTS of malware. John's first thought is that the FBI wants to ride its own malware on the malware of others. In a crazy world, that makes perfect sense.

May 15, 2014

The New York Times reported Tuesday on a decision that has garnered worldwide attention.

Europe’s highest court, the European Court of Justice in Luxembourg, ruled that people have the right to influence what the world can learn about them through online searches. The court said that search engines like Google should allow users to be "forgotten" after a period of time by erasing links to web pages unless there are "particular reasons" not to do so.

Under the court’s ruling, information would still exist on websites, court documents and online archives of newspapers, but people would not necessarily know it was there. The decision cannot be appealed.

In the United States, the court’s ruling would clash with the First Amendment. But the Europeans have always seen privacy through a different lens. This decision spotlights their concern with information about them, including drunk photos from college, following them around forever.

The court said search engines were not simply dumb pipes, but played an active role as data “controllers,” and must be held accountable for the links they provide. Search engines could be compelled to remove links to certain pages, it said, “even when the publication in itself on those pages is lawful.” The court also said that a search engine “as a general rule” should place the right to privacy over the right of the public to find information.

Google has more than 90 percent of the search business in France and Germany and is the dominant search engine in Europe - therefore the burden of fulfilling the court's order will fall largely on Google.

Google said in a statement that the ruling was “disappointing” and that the company was “very surprised” it differed so much from a preliminary verdict last year that was largely in its favor.

The decision leaves many questions unanswered. Is information to be dropped only in individual countries or erased from Google.com itself? How much effort must Google spend investigating complaints?

Many people are worried about politicians and others with something to hide using this ruling to do so. “The principle that you have a right to be forgotten is a laudable one, but it was never intended to be a way for people to rewrite history,” said Emma Carr, the acting director of Big Brother Watch, a London-based civil liberties group.

For companies that charge large fees to help people get negative information buried in the search engines, this is not a decision they are cheering. And on this side of the pond, most commentators (myself included) think this is a bad solution to a (sometimes) legitimate problem.

May 14, 2014

Another day, another Snowden leak. This story came from ArsTechnica yesterday. Apparently, the NSA can "work around" Skype crypto - another reason for lawyers (and many others) to avoid Skype.

It is clear the NSA has obtained buddy lists, credit card info, call records, user account data and unspecified "other material" with over 2800 reports issued since April 2011 based on PRISM Skype collection.

I do appreciate that these leaks always come just before one of our cybersecurity presentations. You can always rely on the NSA to provide "trending topics."

May 13, 2014

Last week, the New York Times reported on Snapchat's settlement with the Federal Trade Commission (FTC). The FTC charged that the company misrepresented the ephemeral nature of the messages (snaps) and didn't take adequate security measures with respect to the data it collected - which resulted in a data breach earlier this year that leaked information, including usernames, passwords and phone numbers, of up to 4.6 million users.

It was no surprise to me that the images were not ephemeral. Our forensics testing here indicated that we could often recover the images. And if they were opened in another app, that app could preserve them.

The FTC also said that video snaps were stored in unencrypted storage areas outside the app's sandbox and collected iOS users' contact information from their address books without notice or consent. That came as news to me - as I am sure it did to many iOS users.

Snapchat has agreed to put in place a privacy program under which it will be monitored for 20 years by a third party. No fine was announced as part of the settlement.

Glad the data breach finally drew the FTC's attention. Remember, if it sounds too good to be true, it probably is. Your mom was right!

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.